A Second Look at the Water Utility Hack in Florida with ICS Expert Mike Radigan
The hack at the Oldsmar, Florida, water treatment plant, an attempt to inject harmful levels of lye, drew headlines fretting over the possibility of cyber-terror striking a utility sector with “few protections against hacking,” as the Wall St. Journal said. Troubling, but what would be a realistic look at the risk, applying the discipline of FAIR thinking?
We asked industrial controls system (ICS) expert Michael Radigan, founder and executive director of consulting firm Business of Security and Co-Chair of the Greater Ohio FAIR Institute Chapter, for some perspective. Mike wrote a great blog post for the FAIR Institute explaining how to apply FAIR analysis to industrial control systems: Case Study: Demystifying ICS Cyber Risk with FAIR.
According to news reports, cybersecurity was dismal at the plant, and management looks negligent:
- All computers used the same password
- Computers were directly connected to the internet with no firewall
- Remote access application TeamViewer was in use and may have been compromised
- Computers were connected to remotely operate the SCADA industrial control system
- The facility used a 32-bit version of Windows 7 -- support ended in 2020
- Emails and passwords had recently surfaced on the dark web, so an employee’s computer may have been infected with malware
To read the news and translate that roughly to FAIR terms, management had left the plant in a state of high-percentage Vulnerability.
But, as Mike points out, the Resistance Strength of Oldsmar’s controls was pretty good: it was one of the plant operators, watching the system online, who noticed the hacker increasing the lye input and shut down the attack right away. Mike says that sensors and manual testing down the line would have signaled a dangerous concentration of lye and, as a last resort, plant operators could dump the contaminated water supply (and there is typically 24 hours of water out in pipes in the community, so this would not mean dry taps immediately).
Now, let’s talk about the Threat Actors – what’s the probability that they were nation-state or high-level criminal hackers, examples, as the Wall St. Journal said, of “the growing sophistication and brazenness of attacks on critical infrastructure”?
“My first thought would be a disgruntled employee who wants to expose weak security,” Mike says, or some opportunistic amateur, not major players.
To successfully overcome a water utility’s defenses and poison a city, Mike says, would take a high level of expertise and motivation. “In industrial cybersecurity, it’s not enough to gain access, you have to understand the processes and the safety systems installed.” Think of the elaborate work behind the Stuxnet worm attack on Iranian nuclear facilities. “This isn’t New York City. Who would have the motivation to do anything to this utility, with a population of 15,000?”
So, Threat Capability of any probable attacker would be low. Probability of Action, to continue with FAIR factors, also low.
What about the probable Threat Event Frequency? “In FAIR analysis, we look for hard data. If you look at the number of incidents out of all water utilities when water has been contaminated due to intentional malicious acts in the last 3 years – I don’t know if you can actually find one.”
Moving to the Magnitude side of the FAIR standard, Mike figures that one significant cost from management’s point of view would be Reputation Damage. “Analysis has to account for the reaction of both your organization and external stakeholders that you could be the first water facility in the country to have a water supply contaminated due to a cyber incident and that would be big news and the individuals responsible for poor decisions could certainly lose their jobs.”
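As an added example (not from the post, and not Mike’s own analysis), here is a small FAIR-style Monte Carlo that walks the factors just discussed: a high-Vulnerability access layer, low Threat Capability against the Resistance Strength of the process safeguards, a low Threat Event Frequency, and a loss magnitude per contamination event. Every (min, most likely, max) range and every dollar figure is an illustrative assumption, not data from the article; the counterfactual scenario removes the safeguards Mike credits so their effect on loss exposure can be seen.

```python
import math
import random
import statistics

def tri(rng, lo, mode, hi):
    # FAIR elicits min / most likely / max; triangular stands in for PERT here
    return rng.triangular(lo, hi, mode)

def poisson(lam, rng):
    # Knuth's method: number of threat events in one year at rate lam
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def simulate(years, seed, *, tef, vuln_access, tcap, rs, loss):
    """One annualized-loss figure per simulated year. tef: attempts on the
    plant per year. vuln_access: P(attempt reaches the HMI); high, given
    shared passwords, exposed TeamViewer, no firewall. tcap, rs: Threat
    Capability vs Resistance Strength of the process safeguards (operator
    at the screen, sensors, manual testing, dumping) on a 0..1 scale."""
    rng = random.Random(seed)
    results = []
    for _ in range(years):
        annual = 0.0
        for _ in range(poisson(tri(rng, *tef), rng)):
            if rng.random() > tri(rng, *vuln_access):
                continue  # attempt never got control of the HMI
            if tri(rng, *tcap) <= tri(rng, *rs):
                continue  # reached the HMI, but the safeguards held
            annual += tri(rng, *loss)  # loss event: contaminated water
        results.append(annual)
    return results

def summarize(results):
    """Return (P(at least one loss event in a year), mean annualized loss)."""
    return sum(r > 0 for r in results) / len(results), statistics.mean(results)

# Baseline: poor hygiene (high access vulnerability) but strong safeguards.
# All ranges are constructed assumptions for illustration, not article data.
BASELINE = dict(tef=(0.1, 0.5, 2.0), vuln_access=(0.6, 0.85, 0.95),
                tcap=(0.05, 0.25, 0.7), rs=(0.5, 0.85, 0.97),
                loss=(250_000, 1_500_000, 5_000_000))  # $ per event, constructed
# Counterfactual: the same plant with the safeguards Mike credits removed.
NO_SAFEGUARDS = dict(BASELINE, rs=(0.0, 0.1, 0.3))
if __name__ == "__main__":
    for name, s in (("baseline", BASELINE), ("no safeguards", NO_SAFEGUARDS)):
        p, mean = summarize(simulate(20_000, 1, **s))
        print(f"{name:14s} P(loss year)={p:.3f}  mean annual loss=${mean:,.0f}")
```

The baseline keeps the probability of a contamination year low despite the weak access controls, which is the gap between the news accounts' "Vulnerability" and Mike's reading of Resistance Strength; the counterfactual shows how much of that gap the safeguards carry.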
Management actually would have a defense against claims of negligence by regulators or litigious stakeholders: They had recently completed a risk and resilience review for the EPA and have till the end of 2021 to implement any findings. The review has a good list of best practices, Mike says, and most likely would have pointed out the cybersecurity flaws – but that gets to a core issue with this story.
“They have to prioritize and cyber threats are -- this is my opinion -- not on the top 10 list right now or even on the top 50 list for disrupting operations.” Pipes freezing, electric grid outages and many more events “are a bigger threat than cyber attack” for waterworks. “But as soon as you say cyber, it becomes a feeding frenzy.”
And this is where FAIR comes in, with its ability to quantify cyber, technology and other risks in financial terms to normalize loss exposure – and foster rational discussion. “I’d say let’s get a FAIR expert in the room and triage all these risks, get the top third identified, then do a high-level risk analysis with more granularity so they end up with a top 5 or 10, run the risk treatment exercise, and make the case for funding.”